How to Run VICIdial on AWS EC2

Running VICIdial on AWS EC2: instance sizing, the Elastic IP for the public-IP requirement, security groups for SIP and the RTP UDP range, EBS for recordings, and the cost reality.

You can run VICIdial on AWS EC2, and people do. It is more moving parts than a plain VPS and the bill is less predictable, but if your shop already lives in AWS it keeps everything in one account. The work is the same shape everywhere: a public address, open media ports, and an Asterisk config that advertises the right IP. AWS just spreads those across more services.

Size the instance

Pick a compute or general-purpose family with real CPU. A c6i.xlarge or m6i.xlarge (4 vCPU) handles a small campaign; scale up before agent count outruns the cores. Avoid burstable t-class for production dialing, because credit throttling shows up as audio jitter at the worst moment. Telephony is sensitive to scheduling latency, so steady CPU beats cheap CPU. If your Carrier and agents disagree on Codec, every call transcodes and the cores fill faster than you expect.

Attach an Elastic IP

By default an EC2 instance gets a public IP that changes when you stop and start it. That breaks a registered SIP trunk overnight. Allocate an Elastic IP and associate it so the address is stable. VICIdial must be reachable at a fixed, routable address for SIP (Session Initiation Protocol) to register and for media to come back. The public-IP requirement is non-negotiable; we explain why in the public IP requirement guide. An Elastic IP also lets you re-point a replacement instance without re-registering everything.

Security groups for SIP and RTP

AWS security groups are stateful allow-lists on the instance. Add an inbound rule for UDP 5060 (SIP signaling) and a second rule for the RTP media range, UDP 10000-20000. Both must be open inbound or audio dies even though the call connects. Scope the SIP rule to your carrier's source IPs; do not leave 5060 open to 0.0.0.0/0, or you will see scan traffic and fraud attempts within the hour. Remember the network ACL on the subnet too if you tightened it past defaults.

flowchart TD
  Net[Internet] --> EIP[Elastic IP]
  EIP --> SG[Security group]
  SG -->|UDP 5060 SIP| EC2[VICIdial on EC2]
  SG -->|UDP 10000-20000 RTP| EC2
  EC2 --> EBS[EBS volume recordings]

NAT and the SDP IP

An EC2 instance has a private VPC address on its interface and the public Elastic IP is mapped one-to-one upstream. Asterisk never sees the public IP locally, so you must set externip to the Elastic IP and list your VPC CIDR in localnet. Skip that NAT traversal step and the SDP advertises a 10.x address the carrier cannot route, giving you the textbook one-way or no-audio call. Get this and the security groups right and the line works.

Recordings and snapshots

Call recordings grow fast. Put them on a dedicated EBS volume so you can size and back it up independently of the root disk. For point-in-time backup, an EBS snapshot or an AMI captures the instance like a Server snapshot on any other cloud. Take one before upgrades. Snapshot creation runs in the background and is not instant on a large recordings volume, so it is a rollback plan, not an undo button.

The cost and complexity reality

AWS gives you every knob, and that is the trade. Between instance hours, the Elastic IP, EBS, snapshot storage, and data transfer out, the bill has more lines than a flat VPS, and the hardening is still on you. A careful hand-built install is hours of work before the first dial. The cloud fundamentals are the same across providers, which is why we wrote the VICIdial in the cloud guide. Hetzner is usually the cheaper home for a single dialer, as we cover in running VICIdial on Hetzner. We provision a secured box for you in under 40 seconds and you keep root SSH plus your own carrier; see pricing if the AWS bill math stops being worth it.